What the NSA Chief Didn't Tell Black Hat

When NSA chief Gen. Keith Alexander addressed Black Hat earlier this year, he painted a rosy picture of how well the agency controls access to its phone-record database, but he never brought up the cases in which those controls broke down, unauthorized access occurred and query results were shared with analysts who shouldn't have seen them.

Documents just released by the government say that, far from being the well-oiled machine Alexander described to the security conference last month, the so-called business-records metadata program was repeatedly misused, activity on certain phone lines was checked without the required authorization and no single person at the NSA understood the technical details of the system architecture.

At Black Hat, Alexander described the call-detail records gathered by the NSA and stockpiled in a database for five years at a time as well guarded and queried only if there is "reasonable articulable suspicion" that a specific phone number is linked to foreign terrorists.

"The database is like a lockbox," Alexander said at the time. "The controls that go on this database are greater than any data repository in government, and the oversight is the same."

The database consists of the date and time of calls, the calling number or IP address, the called number or IP address, the duration of calls or length of emails and the origin of the metadata. The NSA vacuums up this data from service providers on all calls and taps into it only under controlled circumstances, or at least that's how it is supposed to work.

But in 2009 the list of phone numbers the NSA was checking against the incoming data consisted mostly of numbers that had not met the reasonable articulable suspicion standard, according to a March 2, 2009 order by FISC Judge Reggie B. Walton.

One problem was that for years nobody at the NSA understood the system in its entirety. "In fact," Walton wrote, "the government acknowledges that, as of August 2006, 'there was no single person who had a complete understanding of the BR FISA system architecture.'"

One of the NSA's excuses was that it thought the reasonable articulable suspicion rule applied only to data already residing in certain NSA databases, not to the data rolling in from service providers about calls being made day to day. "That interpretation of the Court's Orders strains credulity," Walton wrote. If that interpretation were accurate, he wrote, the rule would have been merely optional.

The NSA further argued that this handling of the database wasn't surprising because that is how data gathered from other sources is handled. That means the root problem was not a misunderstanding between the NSA and the court, but that the NSA decided on its own that the court-approved rules didn't apply, Walton wrote.

In contrast, at Black Hat Alexander said NSA analysts faithfully follow the court's rules about whether phone numbers can be run through the database. "They have to prove that that meets a standard set by the court that this has that counterterrorism nexus with Al Qaeda related groups," he said. "Then and only then is that number added to a list that can be queried."

The Electronic Frontier Foundation, whose Freedom of Information Act requests forced the release of the court documents, interprets the NSA's actions as scouring the database to manufacture reasonable articulable suspicion about certain phone numbers after the fact.

"The NSA decided, independently, that it could run searches on the database to develop the basis for the reasonable articulable suspicion. Hence, the NSA was conducting suspicionless searches for information to obtain the court-required basis to search for that information," the EFF's Kurt Opsahl blogs.

Walton again jumped all over the NSA for distributing query results to 136 NSA analysts who weren't properly trained, according to a Sept. 25, 2009 order. That incident was reported Sept. 21, 2009, and a similar incident was reported two days later by the same Department of Justice attorney.

"The Court is deeply troubled by the incidents described above, which have occurred only a few weeks following the completion of an 'end-to-end review' by the government of NSA's procedures and processes for handling the [business record] metadata, and its submission of a report intended to assure the Court that NSA had addressed and corrected the issues giving rise to the history of serious and widespread compliance problems in this matter and had taken the necessary steps to ensure compliance with the Court's orders going forward," Walton wrote.

Here is Alexander's spin on the end-to-end review as presented at Black Hat: "In 2009 in our discussions with the president when he first came onboard we talked to him about these programs and the issue was how do we know the compliance is there and what more could we do. We stood up working with the committees in Congress a directorate of compliance. This directorate of compliance is headed by legal professionals and information specialists that can look at everything that we do in these programs and ensure they comport with the court orders. But we also have oversight from the director of national intelligence, general counsel and IG from the defense department, from the Department of Justice, from the White House, from Congress - the intel committees - and from the courts. ... Our people have to take courses and pass exams to use this data."

What Alexander said at Black Hat doesn't accurately represent what happened in 2009. It may be a faithful portrayal of how the system works today, but the newly released documents give no way to tell. "[D]eclassifying 2009 data is helpful, but casts no real light on current activities of the NSA and related agencies," says Dave Jevans, CTO and founder of Marble Security, an enterprise mobile security provider. "This is still a mystery, and is likely to remain so for quite some time."

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter at @Tim_Greene.